1. Field of the Invention
The present invention relates generally to a network security system. More particularly, the present invention relates to a method and apparatus for filtering a packet using data contained within the packet.
2. Description of the Related Art
Communication on most networks is accomplished through the sending of information in packets. Typically, each packet comprises a packet header and packet data. For example, the packet header often will include a source address and a destination address. Packet switched networks may differ in their technical design, such as the number or contents of the layers present and the protocols used. For example, the Macintosh AppleTalk network uses a Name-Binding Protocol (NBP) that maintains a table containing an internet address and name of each entity that is visible to other entities on the internet.
In accordance with the Name-Binding Protocol, each device, or node, attached to an AppleTalk network has a unique AppleTalk entity name. An AppleTalk entity name includes three fields: object, type, and zone. The first field, the object, is assigned by the entity as a logical identifier of the entity (e.g., the name of the computer user). The second field, the type, is assigned by the entity, and may be used to identify the device type of the entity (e.g., printer, computer, file server, facsimile). The third field, the zone, is a logical grouping of a subset of the nodes on the internet. In this manner, the internet may be divided into zones, each of the zones defining a logical group of addresses. For example, zone designations would be useful in separating departments within a company. This would permit a common user name such as John Smith to be used in combination with a given department (e.g., legal) to distinguish other users having the same user name. Given the name of a network-visible entity, the Name-Binding Protocol supplies the internet address of that entity. Thus, the Name-Binding Protocol maps each name to an internet address, thereby providing the link between a user-supplied name for an entity and the internet address that is used by the protocol which sends and receives data packets.
Even if a packet has been sent, it may not be desirable for various reasons to forward the packet to its destination. For instance, most local area network (LAN) interfaces have a promiscuous mode, in which all packets are forwarded to a receiving host, such as a computer or a printer. However, for most applications, promiscuity is not desirable. Instead, a packet may be filtered in accordance with specific criteria such as the destination address of the packet. A packet is filtered when the packet is discarded rather than forwarded. Accordingly, through the insertion of a switching element such as a router or bridge, it is possible to isolate portions of the network through the use of filtering.
Filtering is often performed to provide a level of security within a network. In a widely used approach, filtering is performed based on the source and/or destination addresses contained within the packet header. Most packet filtering is implemented with a single packet filter applying a set of rules to all packets incoming to or outgoing from a network device. This approach is limiting, especially when a device services different networks or parts of a single network that have different security policies. Although packet data has not traditionally been used in filtering mechanisms, packet data often contains useful information. By way of example, each AppleTalk entity name includes the type of a sending or receiving host (e.g., a printer) in accordance with the Name-Binding Protocol. Typically, the Name-Binding Protocol is used to advertise services rather than to limit access to these services. However, it would be beneficial if such information were used to prevent or hide access to groups of various resources on the network, such as printers, file servers and applications. As can be appreciated, security breaches and unwanted network traffic could be greatly reduced if filtering of packets could be performed based upon the type of resource, or other logical grouping of network resources. Accordingly, it would be desirable to filter packets in accordance with the content of the packet data. It would also be desirable if security could be implemented in a security device with different security rules being implemented for incoming and outgoing packets, as well as for packets incoming from or outgoing to different paths.
In view of the above, a system and method for providing a device level security mechanism using packet data would be desirable. Additionally, it would be beneficial if a system and method were developed for filtering packets in accordance with the packet data rather than the packet header.
The present invention is a system and method for providing a device level security mechanism in a network. This is accomplished through the filtering of each packet using the packet data rather than the packet header. Accordingly, network traffic may be monitored and controlled using this filtering mechanism.
In accordance with one aspect of the present invention, a method and system for filtering a packet in a network is disclosed. The packet includes a packet header and packet data. Initially, the packet is intercepted. It is then determined if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with contents of the packet data. If no access list is determined to exist for the packet, the packet is forwarded. However, if an access list is determined to exist for the packet, the packet is filtered in accordance with the filtering criteria stored in the access list.
In accordance with another aspect of the present invention, the filtering step further includes parsing the packet to obtain the packet header and the packet data, searching the filtering criteria in the access list for an entry corresponding to the parsed packet data to obtain selected packet filtering criteria, and dropping the packet in accordance with the selected packet filtering criteria.
In accordance with another aspect of the present invention, a default mode may be established for use in instances when no access list exists for a given packet. The default mode may be a send mode in which the packet is forwarded or a drop mode in which the packet is dropped. Accordingly, the packet may be forwarded only when the default mode is the send mode.
In accordance with yet another aspect, the present invention may include setting up a filtering mode in addition to the default mode. The filtering mode may comprise a send mode in which the packet is forwarded, or a drop mode in which the packet is dropped. The searching step fails if the selected packet filtering criteria is not obtained, and otherwise passes. If the searching step fails, the packet is forwarded only if the filtering mode is the send mode. However, if the searching step passes, the packet is discarded in accordance with the selected packet filtering criteria. Thus, the filtering mode is useful if an access list for a given packet exists but does not contain filtering criteria corresponding to the parsed packet data.
In accordance with another aspect of the present invention, the present invention provides a switching element for filtering a packet in a network. Such a switching element includes a processor and a memory. The memory has stored therein (1) means for intercepting a packet; (2) means for determining if an access list exists for the packet, the access list including filtering criteria that dictates filtering of the packet in accordance with contents of the packet data; (3) means for forwarding the packet if no access list is determined to exist for the packet; and (4) means for filtering the packet in accordance with the filtering criteria stored in the access list if an access list is determined to exist for the packet. Accordingly, each of the entries in the access list may designate filtering criteria associated with the source or the destination of the packet. For example, an access list may be placed at both ingress and egress lines within the router. Hence, two levels of filtering may be provided to ensure system security.
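The decision procedure of the preceding aspects (intercept the packet, look up an access list for the line it arrived on or leaves by, fall back to the default mode when none exists, parse the packet data, search the criteria, fall back to the filtering mode when the search fails, and apply ingress and egress lists in turn), as an added Python example that is not part of the patent. The "object:type@zone" encoding of the packet data, the interface names and the sample policy are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

SEND, DROP = "send", "drop"  # the two actions a mode or a matching entry selects

@dataclass
class Packet:
    src: str     # packet header: source address (constructed sample values)
    dst: str     # packet header: destination address
    data: bytes  # packet data: NBP entity name as "object:type@zone" (assumed encoding)

@dataclass
class AccessList:
    rules: dict              # filtering criteria: (field, value) -> action, first match wins
    filter_mode: str = SEND  # used when the list exists but no entry matches the packet data

@dataclass
class PacketFilter:
    lists: dict = field(default_factory=dict)  # (interface, direction) -> AccessList
    default_mode: str = SEND                   # used when no access list exists for the packet

    @staticmethod
    def parse(pkt):
        # Split the packet data into the three NBP name fields; malformed data yields no fields
        try:
            obj, rest = pkt.data.decode().split(":", 1)
            typ, zone = rest.split("@", 1)
        except (UnicodeDecodeError, ValueError):
            return {}
        return {"object": obj, "type": typ, "zone": zone}

    def decide(self, pkt, iface, direction):
        acl = self.lists.get((iface, direction))
        if acl is None:
            return self.default_mode   # no access list for this line: default mode decides
        fields = self.parse(pkt)
        for (key, value), action in acl.rules.items():
            if fields.get(key) == value:
                return action          # search passed: apply the selected criteria
        return acl.filter_mode         # search failed: filtering mode decides

    def forward(self, pkt, in_iface, out_iface):
        # Two levels of filtering: the ingress list of the arriving line, then the egress
        # list of the outgoing line. The packet is forwarded only if both say SEND.
        return (self.decide(pkt, in_iface, "in") == SEND
                and self.decide(pkt, out_iface, "out") == SEND)

# Constructed sample policy: drop anything from the Guest zone arriving on e0, and hide
# printers behind e1 by dropping packets naming a LaserWriter on e1's egress line.
flt = PacketFilter(lists={("e0", "in"): AccessList({("zone", "Guest"): DROP}),
                          ("e1", "out"): AccessList({("type", "LaserWriter"): DROP})})
```

A line with no access list at all takes the default mode, while a line whose list has no matching entry takes that list's filtering mode, which is the distinction the two modes exist to make.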
The advantages of filtering a packet in accordance with the contents of the packet data are numerous. The present invention may be used to prevent access to or hide the existence of various resources or devices within the network, such as printers, file servers and applications. For example, in an AppleTalk network, zone designations may be used to prevent the sending of packets between various zones. Similarly, device types may be used to limit access to various devices. As a result, security breaches may be substantially diminished. In addition, unwanted network traffic may be minimized through the use of the present invention. Moreover, if a network is partitioned into segments by firewalls using the packet data, a disruption will spread only as far as the firewall, therefore affecting only a portion of the network.